In Syria’s Civil War, Facebook Has Become a Battlefield

In September, attackers took over a Facebook group used by Syrian opposition supporters, and posted this message to trick readers into installing spyware.

Computer security researchers are accustomed to disturbing things popping up in their debuggers: zero-day exploits against unpatched security holes; sketchy JavaScript from compromised websites; sneaky, obfuscated code that has to be stripped down layer by layer to get to the truth of what it does.

But nothing prepared Morgan Marquis-Boire for what he saw last October while analyzing the contents of a malicious ZIP file found in Syria: a video of a civilian male being brutally slaughtered with a knife, then rolled into a shallow grave.

“Unthinkingly, once I’d managed to extract everything I actually watched the video, which I shouldn’t have done,” says Marquis-Boire. “It was actually really horrible. … It was probably one of the most traumatic days of malware analysis sitting at a desk in San Francisco that I’ve ever had.”

For the last two years cyberwarriors loyal to Bashar al-Assad have made cyberspace a second front in the Syrian conflict. For nearly as long, Marquis-Boire and his colleagues Eva Galperin and John Scott-­Railton have been tracking and analyzing the arsenal of computer malware used against the Syrian opposition, journalists and NGOs. It’s a very different kind of forensic analysis than researchers usually perform — urgent, chaotic, and with human lives on the line.

That’s because the spyware circulating in Syria is used specifically to gather intelligence that winds up, according to the researchers, in the hands of the Assad regime, where it guides raids, attacks and arrests. In some cases, the military has rounded up suspected rebels and interrogated them about activities they conducted on their computers, without having seized the machine.

“This is a malware campaign in the middle of a hot conflict,” says Marquis-Boire. “The stakes are very high. The consequences of becoming victims are very real.”

The latest report from the researchers, to be released today by Citizen Lab and the EFF, notes a dip in new malware campaigns in the aftermath of the Assad regime’s August sarin gas attack in Ghouta, as though the prospect of U.S. intervention was restraining the attackers. As the threat of U.S. reprisals faded in the weeks that followed, the malware kicked up again.

The attackers use off-the-shelf remote-access tools like Xtreme RAT, which lets intruders remotely monitor the victim’s keystrokes and display. Their attacks use increasingly sophisticated social-engineering dodges to snare victims with targeted Trojan horses sent in e-mail or planted in web forums and social media used by opposition groups and supporters. The malware is baited with fake security and encryption tools or anti-Assad videos or photos.

The execution video Marquis-Boire encountered in October was delivered in a phishing attack against the administrator of an NGO operating in Syria. “Serious video – it shows the malice of al-Assad’s military,” read the subject line. The link went to a ZIP file, and within that file was a Windows executable that played the video and installed Xtreme RAT.

“The video is probably from somewhere else,” says Citizen Lab’s John Scott­-Railton. “Something that people pass around or something that’s online.”

In another attack in September, someone apparently hijacked the Facebook group of the pro-opposition Revolution Youth Coalition on the Syrian Coast, and posted a message directing readers to a download link purporting to document the July checkpoint killing of a well-known opposition commander. “The truth about killing Abu Basir al­Adkani has been revealed,” said the post. The link actually went to a Windows executable file that delivered the njRAT malware, programmed to report to a command-and-control server in Syrian IP space.

Facebook users began posting warnings to not follow the link; the attackers used their moderation powers to delete the warnings as they appeared.

The security researchers first began tracking the Syrian cyberwar so they could rapidly warn malware targets about each new campaign. These days, they say, awareness is pretty high, and their work now is driven largely by fascination over how the conflict is evolving online.

“I think now people are far more aware of the dangers of this type of activity, and in some ways they understand that this type of soft target surveillance is ongoing,” says Scott­-Railton. “So what becomes interesting is the nature of the way the campaigns unfold. This is probably the largest single body of attacks that we’ve compiled.”